Hi,

On Monday, 03.10.2011, 10:01 -0300, Felipe Almeida Lessa wrote:
> Please be advised that clientsession < 0.7.3.1 is vulnerable to timing
> attacks [1]. We have just released a fix and it's already on Hackage
> [2]. We advise all users of clientsession (and, consequently, Yesod)
> to upgrade as soon as possible to a version >= 0.7.3.1.
>
> With a timing attack a malicious user may be able to construct a valid
> MAC for his message. However, the attacker is not able to recover the
> MAC key or the encryption key. So you don't need to change your keys,
> just upgrade ASAP.
>
> Cheers, =)
>
> [1] https://github.com/snoyberg/clientsession/pull/4
> [2] http://hackage.haskell.org/package/clientsession-0.7.3.1

I guess this means we should update as well. For that, we’d need at least
skein to be packaged for Debian. Any takers? I won’t have time before
tomorrow evening at the earliest.

(I have already committed the version bump of clientsession to darcs, but
nothing else, in particular not the dependency bumps.)

Greetings,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
JID: nomeata@joachim-breitner.de | http://people.debian.org/~nomeata
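The quoted advisory says a timing attack lets an attacker construct a valid MAC for a message of his choosing without learning the key. The example below, added here and not code from clientsession or from either poster, shows the mechanism that makes such an attack possible and the fix that closes it, under the assumption (not stated in the advisory, which only links the pull request) that the defect is a MAC comparison that stops at the first mismatching byte. The simulated server counts byte comparisons in place of wall-clock time; the message text, the HMAC-SHA256 stand-in for the library's MAC and the key are all constructed for the demonstration.

```python
"""Timing attack on a variable-time MAC check, and a constant-time check.
Added example; not clientsession code.  The 'ticks' counter stands in for
the measurable time a real server would spend in the comparison."""
import hashlib
import hmac
import secrets

# Server-side MAC key (constructed).  The attacker never sees it and the
# attack does not recover it: it forges one tag for one chosen message.
KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def mac(message: bytes) -> bytes:
    """HMAC-SHA256 tag for a message (assumed stand-in for the real MAC)."""
    return hmac.new(KEY, message, hashlib.sha256).digest()


class Server:
    """Simulated verifier.  `ticks` counts the byte comparisons performed
    by the most recent verify() call, i.e. the timing side channel."""

    def __init__(self, fixed: bool):
        self.fixed = fixed
        self.ticks = 0

    def _variable_time_equal(self, a: bytes, b: bytes) -> bool:
        # Vulnerable: returns at the first mismatching byte, so the time
        # taken reveals how many leading bytes of the guess were correct.
        for x, y in zip(a, b):
            self.ticks += 1
            if x != y:
                return False
        return True

    def _constant_time_equal(self, a: bytes, b: bytes) -> bool:
        # Fixed: always walks the whole tag; only the accumulated XOR decides.
        diff = 0
        for x, y in zip(a, b):
            self.ticks += 1
            diff |= x ^ y
        return diff == 0

    def verify(self, message: bytes, tag: bytes) -> bool:
        self.ticks = 0
        if len(tag) != TAG_LEN:  # tag length is public, so this leaks nothing
            return False
        expected = mac(message)
        if self.fixed:
            return self._constant_time_equal(expected, tag)
        return self._variable_time_equal(expected, tag)


def forge_tag(server: Server, message: bytes) -> bytes:
    """Attacker: build a tag for `message` one byte at a time, keeping the
    candidate that made the server spend longest in the comparison."""
    guess = bytearray(TAG_LEN)
    for pos in range(TAG_LEN):
        best_byte, best_ticks = 0, -1
        for candidate in range(256):
            guess[pos] = candidate
            if server.verify(message, bytes(guess)):
                return bytes(guess)  # accepted: forgery complete
            if server.ticks > best_ticks:
                best_byte, best_ticks = candidate, server.ticks
        guess[pos] = best_byte
    return bytes(guess)


def demo(fixed: bool) -> bool:
    """Return True if the attacker's forged tag is accepted by the server."""
    message = b"user=alice;role=admin"  # constructed sample cookie payload
    server = Server(fixed=fixed)
    forged = forge_tag(server, message)
    return server.verify(message, forged)


if __name__ == "__main__":
    print("vulnerable server accepts forged tag:", demo(fixed=False))  # True
    print("fixed server accepts forged tag:", demo(fixed=True))  # False
```

Against the vulnerable server the attacker needs at most 256 queries per tag byte (about 8,000 in total here) and ends up with a tag the server accepts, which is exactly the "construct a valid MAC for his message" outcome in the advisory; the key itself is never exposed, which is why the advisory says the keys need not be rotated. Against the constant-time server every candidate costs the same 32 ticks, the search learns nothing and the forged tag is rejected. In production code do not hand-roll the comparison loop as done here for illustration: use the constant-time primitive your platform provides (in Python, `hmac.compare_digest`), and note that over a network the per-byte difference is tiny, so a real attacker averages many samples per candidate rather than reading a single measurement.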